Question

I have a following system on my PHP site, like Twitter. To follow another user, the user clicks a follow button on the profile of the user they want to follow.

I then send an ajax post request with the ID of the user they want to follow.

I'm trying to work out how to prevent a user from spam-following everyone by writing this in the browser console:

for (var i = 0; i < 10000000; i++) {
    followUser(i); // followUser is the ajax request
}

My proposed solution is:

Add a single use token to each request and check against the token stored in the session, like CSRF/double-submit protection.

Are there any problems with that solution? I looked at using anonymous JavaScript functions, but it seems more secure to prevent these things on the server side, not the client.


Solution

Are there any problems with that solution?

If you store the token in the per-document DOM/JS context, then you potentially break navigation and multi-tab usage of your application. (e.g. imagine following someone, then clicking Back and following someone on the previous page. The old page's token is now invalid and the operation fails.) This is the reason single-use CSRF tokens are generally a bad thing.

It seems more secure to prevent these things on the server side, not the client.

Indeed, but a single-use token doesn't really prevent a user making mass requests, it just means they have to grab a new token each time.

It sounds like what you would really need is some kind of server-side rate-limiting solution. That could be implemented at the server level (mod_evasive et al.) and/or in the application (necessary if you want targeted limiting of particular functions identified as sensitive).

What's your threat model? Having one account follow everyone doesn't immediately seem like an attack; what's the negative impact, and why would an attacker want to do it? If it's something like "to cause a nuisance by sending follow notifications to everyone", maybe a better answer would lie in providing better tools to manage/ignore notifications, for example.
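
The following is an added example, not code from the question or the answer above, showing the two points the answer makes: a CSRF token that lives for the whole session (so Back and multiple tabs keep working) and a targeted, application-level rate limit on the follow action keyed by the acting user. It assumes a `$_SESSION`-backed token, a small store abstraction (`RateLimitStore`, in-memory here; APCu, Redis or the database in production), a hypothetical `followUser()` persistence call, and a hypothetical `handleFollow()` request handler; all of these names are assumptions for the example.

```php
<?php
// Added example (not the poster's or answerer's code): session-lifetime CSRF
// token plus a per-user token-bucket rate limit on the "follow" action.
// Assumptions: $_SESSION is available, RateLimitStore/FollowRateLimiter/
// handleFollow/followUser are hypothetical names introduced for this example.
declare(strict_types=1);

// Storage abstraction so the limiter can be backed by APCu, Redis or the DB.
// This in-memory version only demonstrates the logic within one process.
final class RateLimitStore {
    private array $data = [];
    public function get(string $key): ?array { return $this->data[$key] ?? null; }
    public function set(string $key, array $value): void { $this->data[$key] = $value; }
}

// Token bucket: a user may burst up to $capacity follows, then is held to
// $refillPerSecond on average. Keyed by the acting user, not the target.
final class FollowRateLimiter {
    public function __construct(
        private RateLimitStore $store,
        private float $capacity = 20.0,
        private float $refillPerSecond = 20.0 / 3600.0, // 20 follows per hour
    ) {}

    public function allow(int $userId, ?float $now = null): bool {
        $now ??= microtime(true);
        $key = "follow_rl:$userId";
        $b = $this->store->get($key) ?? ['tokens' => $this->capacity, 'ts' => $now];
        // Refill in proportion to elapsed time, capped at the bucket capacity.
        $elapsed = max(0.0, $now - $b['ts']);
        $tokens = min($this->capacity, $b['tokens'] + $elapsed * $this->refillPerSecond);
        if ($tokens < 1.0) {
            $this->store->set($key, ['tokens' => $tokens, 'ts' => $now]);
            return false;
        }
        $this->store->set($key, ['tokens' => $tokens - 1.0, 'ts' => $now]);
        return true;
    }
}

// CSRF token that is created once per session and reused by every page and
// tab, so navigation never invalidates it. Compared in constant time.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(?string $submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Handler for the AJAX follow request: CSRF check, input validation, then the
// rate limit, all before anything touches the database.
function handleFollow(FollowRateLimiter $limiter, int $currentUserId, array $post): array {
    if (!csrfValid($post['csrf'] ?? null)) {
        return ['status' => 403, 'error' => 'bad csrf token'];
    }
    $target = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT);
    if ($target === false || $target === $currentUserId) {
        return ['status' => 400, 'error' => 'invalid target'];
    }
    if (!$limiter->allow($currentUserId)) {
        // 180 s is the time for one token to refill at 20 per hour.
        return ['status' => 429, 'error' => 'too many follow requests', 'retry_after' => 180];
    }
    // followUser($currentUserId, $target); // hypothetical persistence call
    return ['status' => 200, 'followed' => $target];
}

// CLI demo: replay the question's console loop as user 42 with a valid token.
$_SESSION = [];
$limiter = new FollowRateLimiter(new RateLimitStore());
$token = csrfToken();
$accepted = 0;
for ($i = 1; $i <= 1000; $i++) {
    $r = handleFollow($limiter, 42, ['csrf' => $token, 'user_id' => (string) $i]);
    if ($r['status'] === 200) {
        $accepted++;
    }
}
echo "accepted $accepted of 1000 follow requests\n"; // 20: the burst capacity
```

The limiter counts the acting user's requests regardless of target, which is what defeats the loop in the question: grabbing a fresh CSRF token per request would not help the attacker, because the limit is not on tokens but on the rate of the sensitive action itself. The capacity and refill rate are illustrative; tune them to what a real user plausibly does, and return the `retry_after` hint so a legitimate client can back off.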

Licensed under: CC-BY-SA with attribution